Facebook is staring down the regulatory barrel as it faces fines from around Europe. French regulator, CNIL, has already claimed €150,000 (£128,000), the maximum fine possible, from the social media giant for tracking those who use the website, and even those who don't. The house that Zuckerberg built may be preparing for a follow-up blast from regulators in Belgium, the Netherlands, Germany and Spain, who are all investigating the company.
CNIL has reported that the fine and the concurrent international investigations are indeed connected, if varied in their infringement claims.
At the heart of the issue is the point that Facebook compiled massive amounts of its user data for targeted advertising as well as tracking both users and non-users through third party websites with the use of the ‘datr' cookie.
At the core of the complaint was that though users could control the display of targeted advertising, they could not object, nor consent to their data being compiled. The use of the ‘datr' cookie belied the fact that users, according to CNIL, could not properly understand the implications of their use of Facebook and that it would be tracking them “on and outside of Facebook”.
At the beginning of 2016, CNIL formally notified Facebook that it would have to comply with French regulation within three months.
Over a year and several ‘unsatisfactory responses' later the regulator decided to bring the hammer down. On 23 March 2017, CNIL fined Facebook €150,000 for its infringements against the 33 million Facebook users in France. The fine was the highest allowed when the regulator started its investigation in 2014 and a change in the law now allowed it to fine companies up to €3 million (£2.6 million).
The investigation was conducted in conjunction the Contact Group, a coalition of European data protection authorities formed after Facebook's global policy revision in November 2014. The announcement of the fine coincided with a variety of damning moves from other European partners.
The Netherlands has flatly declared Facebook to be in violation of data protection law, after an investigation into the company's use of the data of 9.6 million Dutch users. The Belgian Privacy Commission issued recommendations to stop the practices and is currently seeking judicial enforcement against the company. Meanwhile, the data protection authority of Hamburg, Germany has ordered Facebook to stop combining data with its subsidiary WhatsApp without prior consent and the Spanish data protection authority has opened two infringement procedures against the social media giant.
Facebook disagrees. A spokesperson told SC Media UK,“whilst we are disappointed with today's news and respectfully disagree with the CNIL's findings, we value the opportunities we've had to engage with the CNIL and reinforce how seriously we take the privacy of people who use Facebook."
Adding, “Facebook has long complied with EU data protection law through our establishment in Ireland.” In a plea that is commonly used by tech companies in Europe, the jurisdiction that Facebook works in is Ireland, where its European headquarters is located, and so it says it is not subject to the same data protection laws that its users may be protected by.
The Contact group contends that Facebook actually has offices in multiple countries in Europe and that these offices aim to increase the sale of targeted advertising, and thus involve the handling of personal data. The group wrote in a statement that, “the activities of these offices are “inextricably linked” to the data-processing by the Facebook Group.”
The culture clash between data devouring American social platforms, and privacy-minded European bureaucrat has defined a large part of the continental political landscape of recent memory. Whether it's the right to be forgotten', the embattled EU-US Privacy Shield Framework or the tax-shrinking practices of Google and Amazon, Europeans have found fundamental problems with the practices that are central to the business model of so many tech companies.
The fine may not do too much to discipline a company with a valuation of around US$ 350 billion (£269 billion). Still, the decision to fine Facebook is an important one, declared Tomaso Falchetta, legal officer at Privacy International. This, Falchetta told SC, “demonstrates how the exploitation of data, such as the sharing of users' personal data, and the opacity surrounding the ways our data is used by companies such as Facebook are issues of concern not only from a data protection perspective but, increasingly, from a business, competition perspective too.”
Facebook may feel those fines a little more keenly come next year, when the long awaited General Data Protection Regulation(GDPR) comes into force. One of the core tenets of the GDPR, known as ‘Consent', is that users be given a clear choice over if and how their data is used. It comes with a heavy hand too: the non-compliant could be fined as much as €20 million, (£17.1 million) or four percent of global turnover.